<div dir="ltr">Thanks Dolph,<div><br></div><div>I now have a pretty clear picture about it.</div><div><br></div><div>Br,</div><div><br></div><div>Tuan/Nokia</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 10, 2017 at 2:58 PM, Dolph Mathews <span dir="ltr"><<a href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The token itself is still expired, regardless of where it's persisted, if at all. Expired tokens are only considered valid when presented as an X-Auth-Token to keystonemiddleware.auth_token along with a valid X-Service-Token, or when validating an X-Subject-Token against keystone directly using either:<div><br></div><div>  HEAD /v3/auth/token?allow_expired<br></div><div>  GET /v3/auth/token?allow_expired<div><br></div><div>No configuration is required in keystone.conf to enable the feature.<br><div><br></div><div>More documentation is available in the release notes [1][2] and in the sample configuration file [3] (see [token] allow_expired_window).</div><div><br></div><div>[1] <a href="https://docs.openstack.org/releasenotes/keystone/ocata.html#new-features" target="_blank">https://docs.openstack.org/<wbr>releasenotes/keystone/ocata.<wbr>html#new-features</a><br></div><div>[2] <a href="https://docs.openstack.org/releasenotes/keystone/ocata.html#upgrade-notes" target="_blank">https://docs.openstack.org/<wbr>releasenotes/keystone/ocata.<wbr>html#upgrade-notes</a><br></div><div>[3] <a href="https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html" target="_blank">https://docs.openstack.<wbr>org/ocata/config-reference/<wbr>identity/samples/keystone.<wbr>conf.html</a></div></div></div></div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Mon, Apr 3, 2017 at 7:58 AM lương hữu tuấn <<a 
href="mailto:tuantuluong@gmail.com" target="_blank">tuantuluong@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_904602888324397374gmail_msg">Hi Dolph,<div class="m_904602888324397374gmail_msg"><br class="m_904602888324397374gmail_msg"></div><div class="m_904602888324397374gmail_msg">Thanks for the reply. It means that from the DB point of view the token is expired, but it is still passed to other service users in the request (token stored in memory?) and keystone allows this expired token? And to make this feature work, we should apply the "X-Service-Token" header and change "allow_expired" in keystone.conf.<br class="m_904602888324397374gmail_msg"><br class="m_904602888324397374gmail_msg">Br,</div><div class="m_904602888324397374gmail_msg"><br class="m_904602888324397374gmail_msg"></div><div class="m_904602888324397374gmail_msg">Tuan/Nokia</div></div><div class="gmail_extra m_904602888324397374gmail_msg"><br class="m_904602888324397374gmail_msg"><div class="gmail_quote m_904602888324397374gmail_msg">On Mon, Apr 3, 2017 at 2:36 PM, Dolph Mathews <span dir="ltr" class="m_904602888324397374gmail_msg"><<a href="mailto:dolph.mathews@gmail.com" class="m_904602888324397374gmail_msg" target="_blank">dolph.mathews@gmail.com</a>></span> wrote:<br class="m_904602888324397374gmail_msg"><blockquote class="gmail_quote m_904602888324397374gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_904602888324397374gmail_msg"><span class="m_904602888324397374gmail_msg"><div class="m_904602888324397374gmail_msg"><span style="color:rgb(62,67,73);font-family:arial,sans-serif;font-size:14.4px" class="m_904602888324397374gmail_msg">> </span><span style="color:rgb(33,33,33)" class="m_904602888324397374gmail_msg">does it mean that the token now will live forever</span></div><div class="m_904602888324397374gmail_msg"><span 
style="color:rgb(62,67,73);font-family:arial,sans-serif;font-size:14.4px" class="m_904602888324397374gmail_msg"><br class="m_904602888324397374gmail_msg"></span></div></span><div class="m_904602888324397374gmail_msg"><span style="color:rgb(62,67,73);font-family:arial,sans-serif;font-size:14.4px" class="m_904602888324397374gmail_msg">No; it behaves as described in the document you linked. If you have any specific security concerns, please raise them appropriately (such as a security bug, if necessary).</span></div></div><br class="m_904602888324397374gmail_msg"><div class="gmail_quote m_904602888324397374gmail_msg"><div class="m_904602888324397374gmail_msg"><div class="m_904602888324397374m_6187141677295298134h5 m_904602888324397374gmail_msg"><div dir="ltr" class="m_904602888324397374gmail_msg">On Mon, Apr 3, 2017 at 5:27 AM lương hữu tuấn <<a href="mailto:tuantuluong@gmail.com" class="m_904602888324397374gmail_msg" target="_blank">tuantuluong@gmail.com</a>> wrote:<br class="m_904602888324397374gmail_msg"></div></div></div><blockquote class="gmail_quote m_904602888324397374gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="m_904602888324397374gmail_msg"><div class="m_904602888324397374m_6187141677295298134h5 m_904602888324397374gmail_msg"><div dir="ltr" class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg">Hi keystone folks,<div class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"><br class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"></div><div class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg">I have had a chance to take a look at the patch below for allowing expired tokens, which was merged in Ocata:</div><div class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"><br class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"></div><div class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"><a href="https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html" class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg" target="_blank">https://specs.openstack.org/<wbr>openstack/keystone-specs/<wbr>specs/keystone/ocata/allow-<wbr>expired.html</a><br class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"></div><div class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"><br class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"></div><div class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg">In our project, we also have a problem with token expiration when running a Mistral workflow. I have a concern: if this patch works as it does, does it mean that the token will now live forever? ("forever" seems so sloppy, but it seems like the token is no longer expired.) In this case, it seems not good for security purposes.</div><div class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"><br class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"></div><div class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg">Br,</div><div class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"><br class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg"></div><div class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg">Tuan/Nokia</div></div></div></div>
______________________________<wbr>______________________________<wbr>______________<br class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg">
OpenStack Development Mailing List (not for usage questions)<br class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg">
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg">
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><span class="m_904602888324397374m_6187141677295298134HOEnZb m_904602888324397374gmail_msg"><font color="#888888" class="m_904602888324397374gmail_msg"><br class="m_904602888324397374m_6187141677295298134m_6211678702564853496gmail_msg m_904602888324397374gmail_msg">
</font></span></blockquote></div><span class="m_904602888324397374m_6187141677295298134HOEnZb m_904602888324397374gmail_msg"><font color="#888888" class="m_904602888324397374gmail_msg"><div dir="ltr" class="m_904602888324397374gmail_msg">-- <br class="m_904602888324397374gmail_msg"></div><div data-smartmail="gmail_signature" class="m_904602888324397374gmail_msg"><div dir="ltr" class="m_904602888324397374gmail_msg">-Dolph</div></div>
</font></span>
<br class="m_904602888324397374gmail_msg"></blockquote></div><br class="m_904602888324397374gmail_msg"></div>
</blockquote></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr">-Dolph</div></div>
</div></div>
<br></blockquote></div><br></div>
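As an added example (not code from this thread, keystone or keystonemiddleware), the Python model below encodes the rules Dolph states above: an expired X-Auth-Token is accepted only when it is presented together with a valid X-Service-Token, which is what makes the middleware validate it with ?allow_expired, and even then only inside the [token] allow_expired_window grace period. The 48-hour window, token ids and timestamps are assumed or constructed values, not keystone defaults.

```python
"""Model of the allow_expired rules in Dolph's reply (added example, not keystone's
or keystonemiddleware's own code): an expired X-Auth-Token is accepted only when
it arrives with a valid X-Service-Token, and then only inside the [token]
allow_expired_window grace period.  The window and tokens below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ALLOW_EXPIRED_WINDOW = timedelta(hours=48)  # assumed [token] allow_expired_window

@dataclass(frozen=True)
class Token:
    token_id: str
    expires_at: datetime
    revoked: bool = False

def keystone_validate(token: Token, now: datetime, allow_expired: bool) -> bool:
    """Model of GET/HEAD /v3/auth/tokens, optionally with ?allow_expired."""
    if token.revoked:
        return False                       # revocation is never overridden
    if now < token.expires_at:
        return True                        # ordinary, unexpired token
    if not allow_expired:
        return False                       # expired and caller did not opt in
    # Grace period: accepted only until expires_at + allow_expired_window,
    # so an expired token never becomes valid "forever".
    return now < token.expires_at + ALLOW_EXPIRED_WINDOW

def middleware_accepts(user: Token, service: Optional[Token], now: datetime) -> bool:
    """Model of keystonemiddleware.auth_token: ?allow_expired is requested
    for X-Auth-Token only when a valid X-Service-Token accompanies it."""
    service_ok = service is not None and keystone_validate(service, now, False)
    return keystone_validate(user, now, allow_expired=service_ok)

def demo() -> dict:
    """Constructed scenarios; returns which requests the middleware accepts."""
    now = datetime(2017, 4, 10, 12, 0, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    expired = Token("user-expired-1h", now - h)       # expired an hour ago
    service = Token("svc-valid", now + h)             # valid service token
    stale_service = Token("svc-expired", now - h)     # expired service token
    return {
        "expired_alone": middleware_accepts(expired, None, now),
        "expired_with_stale_service": middleware_accepts(expired, stale_service, now),
        "expired_with_valid_service": middleware_accepts(expired, service, now),
        "expired_beyond_window": middleware_accepts(Token("user-old", now - 49 * h), service, now),
        "revoked_with_valid_service": middleware_accepts(Token("user-revoked", now - h, True), service, now),
    }
```

Only the third scenario is accepted: the expired user token paired with a valid service token and still inside the window; a missing or expired service token, a token past the window, or a revoked token are all rejected.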